This report is based on what has been written on the BINUS website in the original Indonesian version. The Focus Group Discussion took place on 11th August 2018 in Kuala Lumpur. The participants were Prof. Dr. Shidarta, Prof. Dr. Bambang Pratama, and Reinhard Christian Surya from BINUS Law School, Jakarta, and myself. The main topic was the right to be forgotten.
I reckoned in that meeting that the regulation on the right to be forgotten, as introduced in the latest 2016 amendment to the Indonesian e-transactions law (namely UU ITE in Indonesian), was a drastic development, bearing in mind that there is still no comprehensive legislation in Indonesia dealing with the protection of personal data, which is now increasingly becoming a new global norm. In my view, Indonesia should first settle the currently ongoing debate on the draft bill of the Personal Data Protection law.
The right to be forgotten is indeed a subset of the many rights relating to the processing of individuals' personal data. In many laws, the right to be forgotten is discussed interchangeably with the right to data deletion.
In Malaysia this right is impliedly given because the law mandates every data user (those who process personal data of individuals) to ensure data are deleted when they are no longer required. Similar provisions can be found in the laws of other countries such as the UK, Hong Kong and Singapore. In Indonesia, there is still no law (Undang-undang) which defines and lays down similar requirements.
Indonesia is slowly putting some regulations in place pertaining to cyberspace activities. A few laws and regulations have now come up that address personal data protection (PDP). In this first post, I would like to highlight some rules of personal data protection law as found in the first Indonesian cyberlaw, i.e. the Law on e-Information and e-Transaction.
Law No. 11/2008 (“UU-ITE”)
First is the “Undang-undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik” (popularly known as UU-ITE in Indonesian) or the Law No. 11 Year 2008 on the Electronic Information and Electronic Transaction (“Law No. 11/2008”).
This Law only has one section that addresses the issues of informational privacy or personal data protection, namely section 26. I had written some comments on this provision in my previous blog. In sum, section 26(1) provides for a general rule that consent is required whenever personal data is being electronically “used” (instead of “processed” – see my comments below). Section 26(2) provides that any breach or infringement of section 26(1) can be a basis for remedies.
Article 26 of the Law No. 11/2008 on the Electronic Information and Electronic Transaction (UU-ITE) stipulates that:
(1) Otherwise stipulated by the laws and regulations, the use of any information by means of electronic media relating to someone’s personal data shall be carried out with the approval from the person concerned.
(2) Every person whose privacy right is infringed upon as referred to in clause (1), may file a law-suit [action-added] for the loss incurred based on this Law. (As translated by the Ministry of Communication and Information Technology).
Meanwhile, the statutory elucidation of the Act explains that this provision is an acknowledgement of the protection of the privacy right. It goes on to explain that the meaning of privacy right includes the following:
A right to enjoy a private life free from interference;
A right to communicate with other persons free from spying/surveillance;
A right to access information about his private life and private information.